Create and use FlashArray PVCs
After installing Portworx CSI to work with your FlashArray, you need to create PVCs to make storage available to your application.
Create a StorageClass
Create a StorageClass with a specified storage type and performance settings.
The StorageClass differs for FlashArray Block Volumes and FlashArray File Services; both are described below.
For FlashArray block storage, set the backend type to "pure_block". You can also configure parameters like IOPS and bandwidth.
If you need the mount path to have 777 permissions, set parameters.allow_others to true in your StorageClass. This setting grants read, write, and execute access to all users. Use with caution to avoid unintended access.
Example StorageClass specification:
Create a new StorageClass to add parameters such as IOPS and bandwidth, as shown below:
- max_bandwidth: The bandwidth limit must range between 1 MB/s and 512 GB/s.
- max_iops: The IOPS limit must range between 100 and 100 million.
- (Optional) secure: Set this to true to enable encryption on PVCs that reference this StorageClass. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.
- allowedTopologies: Uses topology labels to select arrays with matching labels for volume placement.
- volumeBindingMode: If you have enabled CSI topology, ensure you specify the volumeBindingMode: WaitForFirstConsumer parameter along with allowedTopologies. The volumeBindingMode: WaitForFirstConsumer setting delays volume binding until the Kubernetes scheduler selects a suitable node that matches the allowedTopologies labels.

```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: sc-fa-direct-access
provisioner: pxd.portworx.com
parameters:
  backend: "pure_block"
  #pure_fa_pod_name: "<fa-pod-name>" # Use this parameter to specify the Pure FlashArray pod within the realm defined in pure.json when using the secure multi-tenancy feature of FlashArray.
  max_bandwidth: "10G"
  max_iops: "30000"
  #allow_others: true # Uncomment this line if you need the mount path to have 777 permissions.
  #secure: "true" # Uncomment this line to encrypt all PVCs associated with this StorageClass.
# The lines below are required only if you are using CSI topology.
volumeBindingMode: WaitForFirstConsumer
allowedTopologies:
- matchLabelExpressions:
  - key: topology.portworx.io/zone
    values:
    - <zone-1>
  - key: topology.portworx.io/region
    values:
    - <region-1>
```

Apply this YAML to your cluster to create the StorageClass:

```shell
kubectl apply -f sc.yaml
```

Output:

```
storageclass.storage.k8s.io/sc-fa-direct-access created
```
For FlashArray file services, set the backend type to "pure_fa_file". You can also configure parameters like quota policy and mount options.
Ensure that you have configured FlashArray to use file services. For more information, see Configure FlashArray file services.
Define a StorageClass with the appropriate storage type and performance settings. For FlashArray file system, the backend type is pure_fa_file.
Required parameters:
- backend: "pure_fa_file" - Specifies that the volume is an FA file volume.
- pure_nfs_policy - PX-CSI expects that the NFS policy is pre-created on FA setups. If the policy does not exist, the request will fail.
- pure_fa_file_system - Specifies the file system where the volume needs to be placed. If the file system does not exist in the FlashArray setup, the volume create request fails.
Optional parameters:
- pure_quota_policy - If provided, associates the volume with a quota policy to enforce a size limit.
- pure_nfs_endpoint - Used when there are multiple endpoints per array. Overrides the default NFSEndPoint specified in pure.json.
- allowedTopologies - Uses topology labels to select arrays with matching labels for volume placement.
- volumeBindingMode - If you have enabled CSI topology, ensure you specify the volumeBindingMode: WaitForFirstConsumer parameter along with allowedTopologies. The volumeBindingMode: WaitForFirstConsumer setting delays volume binding until the Kubernetes scheduler selects a suitable node that matches the allowedTopologies labels.
- mountOptions - Overrides default mount options. Supports only TCP, not UDP. You can also specify multiple security options using the mountOptions.sec field. By default, NFS uses sec=auth_sys, but support is also available for Kerberos-based authentication options, including sec=krb5 (authentication only), sec=krb5i (authentication and integrity), and sec=krb5p (authentication, integrity, and encryption).

Example StorageClass YAML:

```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fa-file-sc
provisioner: pxd.portworx.com
parameters:
  backend: "pure_fa_file"
  pure_nfs_policy: "test-policy"
  pure_fa_file_system: "name01"
  pure_quota_policy: "100g_policy"
  pure_nfs_endpoint: <nfs-endpoints-of-fa>
mountOptions:
- nfsvers=3
- tcp
# The lines below are required only if you are using CSI topology.
volumeBindingMode: WaitForFirstConsumer
allowedTopologies:
- matchLabelExpressions:
  - key: topology.portworx.io/zone
    values:
    - <zone-1>
  - key: topology.portworx.io/region
    values:
    - <region-1>
```

Apply this YAML to your cluster:

```shell
kubectl apply -f sc.yaml
```

Output:

```
storageclass.storage.k8s.io/fa-file-sc created
```
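The following is an added example, not Portworx code or part of this page, that checks a parsed StorageClass against the rules described above for both backends: the max_bandwidth and max_iops ranges and the allow_others setting for pure_block, the required parameters and the TCP-only and sec= mount options for pure_fa_file, and the secure and volumeBindingMode requirements common to both. It assumes the manifest has already been loaded into a dict (for example with yaml.safe_load); the function names, the decimal unit interpretation of max_bandwidth, and the sample manifest are constructed for illustration.

```python
"""Lint a parsed Portworx FlashArray StorageClass against the limits and
security-relevant settings described on this page. Hypothetical helper, not
Portworx code; the input is the manifest as a dict (e.g. from yaml.safe_load)."""
import re

_UNIT = {"K": 10**3, "M": 10**6, "G": 10**9}  # assumption: decimal units for max_bandwidth

def parse_rate(value) -> int:
    """Convert a max_bandwidth string such as "10G" or "512M" to bytes per second."""
    m = re.fullmatch(r"(\d+)([KMG])?B?", str(value).strip(), re.I)
    if not m:
        raise ValueError(f"bad bandwidth value: {value!r}")
    return int(m.group(1)) * _UNIT.get((m.group(2) or "").upper(), 1)

def lint_storageclass(sc: dict) -> list:
    """Return findings as strings; an empty list means nothing to flag."""
    p, out = sc.get("parameters", {}), []
    backend = p.get("backend")
    if backend == "pure_block":
        if "max_bandwidth" in p and not 10**6 <= parse_rate(p["max_bandwidth"]) <= 512 * 10**9:
            out.append("max_bandwidth outside 1 MB/s .. 512 GB/s")
        if "max_iops" in p and not 100 <= int(p["max_iops"]) <= 10**8:
            out.append("max_iops outside 100 .. 100 million")
        if str(p.get("allow_others", "")).lower() == "true":
            out.append("allow_others=true: mount path is world-writable (777)")
    elif backend == "pure_fa_file":
        for req in ("pure_nfs_policy", "pure_fa_file_system"):
            if req not in p:
                out.append(f"missing required parameter {req}")
        opts = [str(o).lower() for o in sc.get("mountOptions", [])]
        if "udp" in opts:
            out.append("mountOptions: UDP is not supported, use tcp")
        sec = [o.split("=", 1)[1] for o in opts if o.startswith("sec=")]
        if not sec or "auth_sys" in sec:
            out.append("NFS sec=auth_sys (default): no Kerberos authentication")
        elif "krb5p" not in sec:
            out.append("NFS Kerberos without krb5p: traffic is not encrypted")
    else:
        out.append(f"unknown backend {backend!r}")
    if str(p.get("secure", "")).lower() != "true":
        out.append("secure not set: PVCs from this StorageClass are unencrypted")
    if "allowedTopologies" in sc and sc.get("volumeBindingMode") != "WaitForFirstConsumer":
        out.append("allowedTopologies without volumeBindingMode: WaitForFirstConsumer")
    return out

# Constructed sample: this page's block-volume StorageClass with allow_others switched on.
SAMPLE_SC = {"kind": "StorageClass", "metadata": {"name": "sc-fa-direct-access"},
             "parameters": {"backend": "pure_block", "max_bandwidth": "10G",
                            "max_iops": "30000", "allow_others": "true"}, "volumeBindingMode": "WaitForFirstConsumer",
             "allowedTopologies": [{"matchLabelExpressions": [{"key": "topology.portworx.io/zone", "values": ["<zone-1>"]}]}]}
```

Running lint_storageclass(SAMPLE_SC) flags the world-writable mount path and the missing secure parameter, which is the review a platform team would want before the StorageClass is applied.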
Create a PVC
To create a PVC, define the specifications and reference the StorageClass you previously created by specifying its name in the spec.storageClassName field.
- (Optional) metadata.annotations.px/secure: If encryption is not enabled in the StorageClass and you want to enable it for a specific PVC, set this to true to enable encryption on that PVC. A cluster-wide secret key must be created for encryption. For more information, see Encrypt FADA volumes.

Example PVC specification for FlashArray Block Volumes:

```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pure-claim-fa
  annotations:
    #px/secure: "true" # Uncomment this line to encrypt only this PVC.
  labels:
    app: nginx
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: sc-fa-direct-access
```

Example PVC specification for FlashArray File Services:

```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pure-claim-fa
  labels:
    app: nginx
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 20Gi
  storageClassName: fa-file-sc
```

Save this YAML in a file pvc.yaml.
Apply this YAML to your cluster:

```shell
kubectl apply -f pvc.yaml
```

Output:

```
persistentvolumeclaim/pure-claim-fa created
```
Mount a PVC to a pod
After creating PVCs, the storage becomes available for your application. You can use the storage by mounting and attaching the PVC to the application pod.
Create a Pod and specify the PVC name in the persistentVolumeClaim.claimName field. Here is an example pod specification:

```yaml
kind: Pod
apiVersion: v1
metadata:
  name: nginx-pod
  labels:
    app: nginx
spec:
  volumes:
  - name: pure-vol
    persistentVolumeClaim:
      claimName: pure-claim-fa
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: pure-vol
      mountPath: /data
    ports:
    - containerPort: 80
```

To control pod scheduling based on node labels, add the nodeAffinity field to the Pod specification. For example:

```yaml
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: topology.portworx.io/zone
            operator: In
            values:
            - zone-0
          - key: topology.portworx.io/region
            operator: In
            values:
            - region-0
```
Verify pod status
Once the pod configuration is applied, monitor the pod’s status with:
```shell
watch kubectl get pods
```
Wait for the STATUS to show as Running for a pod. Once the pod is running, you can verify that it is connected as a host for the volume.
(Optional) Encrypt FADA volumes
PX-CSI supports encryption for FADA volumes. To encrypt FADA volumes, create a cluster-wide encryption key and enable encryption in the StorageClass or PVC manifest.
Encryption is not supported for FADA raw block volumes.
Create a cluster-wide secret key for encryption
To ensure consistent and secure encryption of PersistentVolumeClaims (PVCs), use a cluster-wide encryption key. This guarantees that all encrypted PVCs in the cluster adhere to a uniform and secure encryption standard. Follow these steps to create the key:
- Create a Kubernetes Secret for the encryption key:

```shell
kubectl -n <namespace> create secret generic px-vol-encryption \
  --from-literal=cluster-wide-secret-key=<value>
```

- Configure Portworx CSI to use cluster-wide-secret-key as the default encryption key for all volumes:

```shell
PX_POD=$(kubectl get pods -l name=portworx -n <namespace> -o jsonpath='{.items[0].metadata.name}')
kubectl exec $PX_POD -n <namespace> -- /opt/pwx/bin/pxctl secrets set-cluster-key \
  --secret cluster-wide-secret-key
```

- PX-CSI checks for the cluster-wide encryption key in the Portworx namespace by default. If you create it in a different namespace, set the PX_SECRETS_NAMESPACE environment variable in the StorageCluster manifest to specify the correct namespace.
- If you modify a Kubernetes Secret after creating a cluster-wide encryption key, use the --overwrite flag in the command above to update the key.
Enable encryption
After creating the cluster-wide secret key, follow one of the options below to encrypt FADA volumes:
- To encrypt all PVCs associated with a StorageClass, enable encryption by setting the secure parameter to true in the StorageClass specification.
- To encrypt a specific PVC, add the annotation px/secure: "true" in the PVC specification.